Postfix + sasldb 問題（截至 2021 年 3 月已解決）

PS（已解決：截至 2021 年 3 月的 Alpine Linux 解決方案，cyrus-sasl 2.1.27-r12 中的修復位於邊緣分支中。3.13 只有 cyrus-sasl 2.1.27-r10。

PS：我知道有類似的文章，但它們非常過時，就像 2015 年一樣。我的問題是 2021 年，去年還在工作。

我在 alpine:edge docker 容器中使用帶有 sasldb2 的後綴。但最近（2021 年 1 月）我發現它停止工作了。情況很奇怪，因為相同的 /etc/sasl2/sasldb2 文件適用於 saslauthd，但如果我使用 auxprop 設置則不會。

使用 sasldb2（不工作）

/etc/sasl2/smtpd.conf

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN

後綴日誌：

Jan 17 07:46:07 johnsiu postfix/smtpd[108]: connect from mail-ej1-x635.google.com[2a00:1450:4864:20::635]
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: warning: SASL authentication failure: Couldn't fetch entry from /etc/sasl2/sasldb2
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: warning: SASL authentication failure: Password verification failed
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: warning: mail-ej1-x635.google.com[2a00:1450:4864:20::635]: SASL PLAIN authentication failed: generic failure
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: lost connection after AUTH from mail-ej1-x635.google.com[2a00:1450:4864:20::635]
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: disconnect from mail-ej1-x635.google.com[2a00:1450:4864:20::635] ehlo=2 starttls=1 auth=0/1 commands=3/4

使用 saslauthd（工作）

/etc/sasl2/smtpd.conf    
pwcheck_method: saslauthd
mech_list: PLAIN

手動執行 saslauthd：

saslauthd -a sasldb -d

輸出：

saslauthd[125] :num_procs : 5
saslauthd[125] :mech_option: NULL
saslauthd[125] :run_path : /run/saslauthd
saslauthd[125] :auth_mech : sasldb
saslauthd[125] :using accept lock file: /run/saslauthd/mux.accept
saslauthd[125] :master pid is: 0
saslauthd[125] :listening on socket: /run/saslauthd/mux
saslauthd[125] :using process model
saslauthd[125] :forked child: 126
saslauthd[125] :forked child: 127
saslauthd[125] :forked child: 128
saslauthd[125] :forked child: 129
saslauthd[125] :acquired accept lock

saslauthd[125] :released accept lock
saslauthd[129] :acquired accept lock
saslauthd[125] :auth success: [user=test] [service=smtp] [realm=example.org] [mech=sasldb]
saslauthd[125] :response: OK

後綴日誌：

Jan 17 07:48:41 johnsiu postfix/smtpd[120]: connect from mail-ej1-x631.google.com[2a00:1450:4864:20::631]
Jan 17 07:48:42 johnsiu postfix/smtpd[120]: disconnect from mail-ej1-x631.google.com[2a00:1450:4864:20::631] ehlo=2 starttls=1 auth=1 quit=1 commands=5

作業系統版本

# cat /etc/os-release

NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.13.0_alpha20201218
PRETTY_NAME="Alpine Linux edge"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"

已安裝的軟體包

apk list -I|sort

WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/edge/main: No such file or directory
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/edge/community: No such file or directory
alpine-baselayout-3.2.0-r8 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
alpine-keys-2.2-r0 x86_64 {alpine-keys} (MIT) [installed]
apk-tools-2.12.0-r3 x86_64 {apk-tools} (GPL-2.0-only) [installed]
busybox-1.32.0-r8 x86_64 {busybox} (GPL-2.0-only) [installed]
ca-certificates-20191127-r5 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
ca-certificates-bundle-20191127-r5 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
cyrus-sasl-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-crammd5-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-digestmd5-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-gs2-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-gssapiv2-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-login-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-ntlm-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-scram-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
gdbm-1.19-r0 x86_64 {gdbm} (GPL-3.0-or-later) [installed]
heimdal-libs-7.7.0-r4 x86_64 {heimdal} (BSD-3-Clause) [installed]
icu-libs-67.1-r2 x86_64 {icu} (MIT ICU Unicode-TOU) [installed]
krb5-conf-1.0-r2 x86_64 {krb5-conf} (MIT) [installed]
libc-utils-0.7.2-r3 x86_64 {libc-dev} (BSD-2-Clause AND BSD-3-Clause) [installed]
libcom_err-1.45.6-r1 x86_64 {e2fsprogs} (GPL-2.0-or-later AND LGPL-2.0-or-later AND BSD-3-Clause AND MIT) [installed]
libcrypto1.1-1.1.1i-r0 x86_64 {openssl} (OpenSSL) [installed]
libgcc-10.2.1_pre1-r3 x86_64 {gcc} (GPL-2.0-or-later LGPL-2.1-or-later) [installed]
libsasl-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
libssl1.1-1.1.1i-r0 x86_64 {openssl} (OpenSSL) [installed]
libstdc++-10.2.1_pre1-r3 x86_64 {gcc} (GPL-2.0-or-later LGPL-2.1-or-later) [installed]
libtls-standalone-2.9.1-r1 x86_64 {libtls-standalone} (ISC) [installed]
lmdb-0.9.27-r0 x86_64 {lmdb} (OLDAP-2.8) [installed]
musl-1.2.2_pre6-r0 x86_64 {musl} (MIT) [installed]
musl-utils-1.2.2_pre6-r0 x86_64 {musl} (MIT BSD GPL2+) [installed]
ncurses-libs-6.2_p20210109-r0 x86_64 {ncurses} (MIT) [installed]
ncurses-terminfo-base-6.2_p20210109-r0 x86_64 {ncurses} (MIT) [installed]
postfix-3.5.8-r0 x86_64 {postfix} (IPL-1.0 EPL-2.0) [installed]
readline-8.1.0-r0 x86_64 {readline} (GPL-2.0-or-later) [installed]
scanelf-1.2.6-r1 x86_64 {pax-utils} (GPL-2.0-only) [installed]
sqlite-libs-3.34.0-r1 x86_64 {sqlite} (Public-Domain) [installed]
ssl_client-1.32.0-r8 x86_64 {busybox} (GPL-2.0-only) [installed]
tzdata-2020f-r0 x86_64 {tzdata} (Public-Domain) [installed]
zlib-1.2.11-r3 x86_64 {zlib} (Zlib) [installed]

我不確定這是 alpine 發行版問題、後綴問題還是 cyrus-sasl 問題。

我的 docker 容器：https ://hub.docker.com/repository/docker/jsiu/postfix

更新到 postfix 3.5.9-r0 後問題仍然存在。

---

測試結果：

/ # ls -lh /run/saslauthd/
total 4K
srwxrwxrwx    1 root     root           0 Feb 18 02:36 mux
-rw-------    1 root     root           0 Feb 18 02:36 mux.accept
-rw-------    1 root     root           4 Feb 18 02:36 saslauthd.pid

以下語法有效：

/ # testsaslauthd -f /run/saslauthd/mux -r **** -u **** -p ****

但以下不起作用：

/ # testsaslauthd -f /run/saslauthd/mux -s"smtpd" -u"****@****" -p"****"
0: NO "authentication failed"

嘗試了單引號，雙引號，無引號，空格，密碼但結果相同。

‘saslauthd -a sasldb -d’ 失敗嘗試的輸出：

/etc/postfix # saslauthd -a sasldb -d
saslauthd[195] :num_procs  : 5
saslauthd[195] :mech_option: NULL
saslauthd[195] :run_path   : /run/saslauthd
saslauthd[195] :auth_mech  : sasldb
saslauthd[195] :using accept lock file: /run/saslauthd/mux.accept
saslauthd[195] :master pid is: 0
saslauthd[195] :listening on socket: /run/saslauthd/mux
saslauthd[195] :using process model
saslauthd[195] :forked child: 196
saslauthd[196] :acquired accept lock
saslauthd[195] :forked child: 197
saslauthd[195] :forked child: 198
saslauthd[195] :forked child: 199


saslauthd[198] :acquired accept lock
saslauthd[196] :released accept lock
saslauthd[196] :auth failure: [user=****@****] [service=smtpd] [realm=] [mech=sasldb] [reason=Unknown]
saslauthd[196] :response: NO

這是一個錯誤。errnofor fetch 呼叫被另一個呼叫破壞。見：https ://github.com/cyrusimap/cyrus-sasl/pull/554

高山修復：https ://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/18576

編輯：截至 2021 年 3 月 10 日，合併並作為 2.1.27-r12 發佈到 Alpine Edge。

就像您建議的那樣，查明問題很重要。您的身份驗證鏈如下所示： postfix => (Cyrus) saslauthd => /etc/sasldb2

我建議您使用 testsaslauthd 命令測試 SASL：

testsaslauthd -f /run/saslauthd/mux -s"smtp" -u"test@example.org" -p"yourpass"
testsaslauthd -f /run/saslauthd/mux -s"smtp" -r"example.org" -u"test" -p"yourpass"

如果上述方法不起作用，請在此處發布輸出。

如果上述方法有效，您將獲得

0: OK "Success."

我們將不得不比 SASL 看得更遠。

引用自：https://serverfault.com/questions/1050452